OpenVPN the better Solution
Ever since I started working in secured environments and networks, I have struggled with the configuration of almost every VPN solution I have seen in my whole career.
OpenVPN landed on my desk when I had to set up a static-key peer-to-peer connection between two companies. At the time the rule was: never tunnel TCP over TCP or UDP over UDP. So, since I needed a Samba share (a lot of UDP), I tunneled with OpenVPN over TCP.
Success, after hours of reading configs; and if somebody had gotten hold of the private key I would have been ...
Anyhow, time went by and I stopped permanently misconfiguring OpenVPN servers. When I came across pfSense I found its polished, working-out-of-the-box web configuration for OpenVPN in the pfSense backend. Since then I have lived in peace with OpenVPN.
In 2019 OpenVPN Access Server (openvpnas) appeared on the market. It is a wonderful product and, in my opinion, the best VPN software: QUICK and DIRTY, yet also highly configurable.
I never thought I would say this, but I will pay for it because the software is worth every cent.
Starting with the cons is not good, but so that readers can turn the cons into pros faster, I decided to start with a small bash snippet.
OpenVPN AS does routing and NATing on the fly; most of the settings can be applied while the client is connected. This is the biggest advantage ever! Imagine the network admin allows one client to communicate with another client in the VPN: no restart, no call, no reconnect needed. Just a few clicks and the Access Server fires up some iptables rules on the fly!
But that means the AS is creating some iptables rules that are impossible to find in any config file. To take away all the pain of iptables configuration, the AS adds its own rules to allow access to the web interface on TCP port 943.
So all good, all done in a minute, but I WANT TO DO PORT KNOCKING!
As everybody knows, firewall rules are processed sequentially, and if you try to stop openvpnas from opening the admin and VPN ports automatically by blocking them with ufw, you are always one step behind: the AS prepends its rules in front of yours.
It took quite a while until I found the setting to change this behavior and tell openvpnas to put all its rules behind mine!
To make Access Server add its rules after existing ones (append instead of prepend):
    cd /usr/local/openvpn/scripts/
    ./sacli --key "iptables.append" --value "True" ConfigPut
    ./sacli start
Restore the default behavior:
    ./sacli --key "iptables.append" ConfigDel
    ./sacli start
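To verify that the switch actually took effect, here is an added shell snippet (not from the original post and not OpenVPN's own code) that reads a listing of the INPUT chain as printed by `iptables -S INPUT` and reports whether a DROP/REJECT for TCP port 943 is evaluated before any Access Server ACCEPT for it. The chain contents below are constructed samples; the real AS rule layout, chain names and ufw hooks may differ on your box.

```shell
#!/bin/sh
# Added example, not Access Server code. Reads `iptables -S INPUT` style
# output on stdin and returns 0 when a DROP/REJECT for tcp/943 (the admin
# web interface) is listed before any ACCEPT for it, i.e. iptables.append
# took effect and your block wins; returns 1 when the ACCEPT comes first.
as_port_order_ok() {
    awk '
        /--dport 943/ && /-j (DROP|REJECT)/ && !blk { blk = NR }
        /--dport 943/ && /-j ACCEPT/        && !acc { acc = NR }
        END {
            if (!acc) exit 0              # nothing opens 943: fine
            if (blk && blk < acc) exit 0  # block evaluated first: fine
            exit 1                        # ACCEPT sits above the block
        }'
}

# Constructed sample: default (prepend) behaviour, the AS ACCEPT rule for
# 943 lands above the admin DROP, so the DROP never matches.
PREPENDED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j DROP'

# Constructed sample after iptables.append=True: the admin DROP is first.
APPENDED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j DROP
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT'

# check LISTING: prints a verdict and returns the status of as_port_order_ok
check() {
    if printf '%s\n' "$1" | as_port_order_ok; then
        echo "ok: block on tcp/943 precedes the Access Server ACCEPT"
    else
        echo "WARNING: Access Server ACCEPT for tcp/943 is evaluated first"
        return 1
    fi
}

# Stand-alone demo on the constructed samples; on a live box run:
#   iptables -S INPUT | as_port_order_ok && echo ok
for listing in "$PREPENDED" "$APPENDED"; do
    check "$listing" || :   # keep going even when a check fails
done
```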
From here on you can lock down whatever you want and do some port knocking! I do understand the idea behind the developer team's decision, but this advanced topic should be on the first page of OpenVPN's wiki!